Thanks to a great contribution from @MichaelPetrinolis, Orchard now has an OpenID Connect client feature that integrates with the OrchardCore.Users module to allow delegating authentication to an OIDC server.
This is a good first step, but not enough to pretend we have a good authentication story. Now, we should add back the OrchardCore.Authentication module and add settings that determine how authentication works. We should at least support these 4 scenarios:

1. I want a local users database and I also want to allow my users to log in using one or multiple external providers (e.g. Facebook/Google, Auth0, Azure AD or an OpenIddict deployment). This is the approach currently supported.
2. I want a local users database but I don't want to support password authentication. For that, my users have to log in using one or multiple external providers.
3. I don't want to use a local users database (i.e. OrchardCore.Users) and I want to rely on a single external provider for that. This means authentication in OC has to work even if we don't include/enable the OrchardCore.Users module.
4. I don't want to use a local users database (i.e. OrchardCore.Users) and I want to allow a user to log in using multiple external providers.
/cc @sebastienros
It sounds good.
For me the two last points are a single one. Also, to what extent could we just enable/disable the Users module and a few external provider features to get the full matrix? Meaning we would not even need a new module to expose these possibilities. I don't see anything special we'd have to do to support this, or maybe this new module would just own the UI for login/account management, and check for IUserManager and other providers to create the login view. The one that is currently in the Users module.
I assume we'll require this Auth module as the configuration becomes complex, like configuring the providers. And maybe exposing the providers as features too.
All of this should not be hard to do with all the work that has already been done, and the whole feature set sounds terrific.
> For me the two last points are a single one.
With a difference: in the first case, you'll want to immediately redirect the user to the external provider instead of rendering a login form offering to select the provider you want to log in with.
> I don't see anything special we'd have to do to support this, or maybe this new module would just own the UI for login/account management. I assume we'll require this Auth module as the configuration becomes complex, like configuring the providers. And maybe exposing the providers as features too.
Yup, that's the idea. Ideally, this module shouldn't even depend on Identity.
> All of this should not be hard to do with all the work that has already been done, and the whole feature set sounds terrific.
I don't think it will be that easy. Many components in Orchard directly use Identity or IUserService, that both depend on the fact we have a local users database (under the hood, the default implementation uses Identity). If we want to support scenarios where the local database is not used (or doesn't even exist), we'll have to decouple the modules that use the user service.
Note: in my 2 posts, I said "external providers", but it's also applicable to the cases where the provider is actually another tenant with the OpenID server feature active.
> With a difference: in the first case, you'll want to immediately redirect the user to the external provider instead of rendering a login form offering to select the provider you want to log in with.

It's just that the page shows all the available auth possibilities. One, or many. And if Users is enabled, another one which is a login form.
Ok, it will be a good exercise to abstract the authentication, correct.
So should we add an abstraction component OrchardCore.Identity that defines services to sign in, register, etc., that are then implemented by OrchardCore.Users and OrchardCore.Roles, which just happen to use AspNetCore.Identity as the implementation and store data as content?
Then OrchardCore.Authentication would use OrchardCore.Identity abstraction layer?
We should talk about it during a meeting. If you can't join the weekly one let's do a custom one that works for everyone.
@sebastienros @PinpointTownes Is there any update on this?
I see a lot of security related issues are scheduled for RC.
@Narnain nope. Would you be interested in contributing?
@PinpointTownes I would be happy to help where I can. I see petedavis's comment and mention of a meeting. Are there any notes or an overview of a plan, or a branch where this work has been started?
I'm not aware of anything concrete, but I'm sure it was at least mentioned at some point during a review. Sounds like a good question for @sebastienros 😄
I am interested in pt. 2: "I want a local users database but I don't want to support password authentication. For that, my users have to log in using one or multiple external providers." We have an existing IdP that I want to run all authentication through. Is this possible today? If not, if you guide me I'd be happy to work on making this possible.

This is supported today, you can enable the OpenID client module and check it out. What is missing is the mapping of your IdP roles to application roles. Also Orchard should have an option to disable local user login, and auto redirect users to the IdP for authentication. Now it presents a list with external providers to log in with. If you also need social logins, you could set up a tenant with the OpenID Connect server and add your IdP and several social login providers. Then each tenant could authenticate through the Orchard IdP.
> 1. I want a local users database and I also want to allow my users to log in using one or multiple external providers (e.g. Facebook/Google, Auth0, Azure AD or an OpenIddict deployment). This is the approach currently supported.
> 2. I want a local users database but I don't want to support password authentication. For that, my users have to log in using one or multiple external providers.
> 3. I don't want to use a local users database (i.e. OrchardCore.Users) and I want to rely on a single external provider for that. This means authentication in OC has to work even if we don't include/enable the OrchardCore.Users module.
> 4. I don't want to use a local users database (i.e. OrchardCore.Users) and I want to allow a user to log in using multiple external providers.
Is there a scenario we don't support yet? I could only think about the one without local auth, which we don't have an option to disable right now.
We are also very interested in option 2 above. @sebastienros is there any way we can up vote this feature to get it onto version 1.0 :) ? Our client uses OIDC but storing passwords in Orchard is a no no.
@horlszone definitely supported, and you can even use multiple ones. We provide GitHub, Twitter, Google, Facebook, Microsoft. I also just merged this PR (https://github.com/OrchardCMS/OrchardCore/pull/3488) that allows these providers to completely skip the local registration form, such that you can automate the local usernames based on the external providers.
Can I just clarify whether scenarios 3/4 are available? We have a separate IdentityServer instance with all the user information, so pt 3 potentially makes the most sense for us. If not, 2 will work as well (just may require some additional work to "sync" data I guess). Thanks!
@andrewlock the scenarios 3/4 are not yet supported, but you have the ability to use only the external provider. You can create a module to map claims issued by the external provider to OC roles, or if you don't wish to create a module, use a JS script in settings.

Thanks for the clarification @MichaelPetrinolis 👍

@andrewlock Hello, how did you solve this? I'm currently also facing the no. 3 scenario (IdentityServer4 for authentication + a user management WebApi used to create/read/update/delete users and their roles).

@MichaelPetrinolis could you please add a few more details about how to achieve this? How can I use only the external provider (ours is IdentityServer4 based, https://demo.identityserver.io/) without any user data in the Orchard DB?

@agono OC needs local users and roles. In order not to have local users/roles you must implement all the user/role/permission related services. What you can do is set up the OpenID client, configure the external registration settings (https://docs.orchardcore.net/en/dev/docs/guides/azuread-integration/#configure-registration-settings) and configure how to map users/roles through a script (check the how-to) or by registering an IExternalLoginEventHandler implementation. Also enable the option to auto challenge the external provider instead of waiting for a username/password. The local users will be created and assigned the username/roles that you define in the script/IExternalLoginEventHandler. There is no need to sync users/roles between IS4 and OC: as users log in they will be created/updated and get the OC roles that you define based on the claims/roles they have in IS4.
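To make the claim-to-role mapping from the two comments above concrete, here is an added example of an `IExternalLoginEventHandler` that grants and revokes Orchard Core roles from a role claim issued by the external IdP. It is example code written for this thread, not code from Orchard Core or from any of the commenters. Assumptions, labelled in the code: the interface exposes `GenerateUserName(provider, claims)` and `UpdateUserAsync(UpdateUserContext)` with `LoginProvider`, `ExternalClaims`, `RolesToAdd` and `RolesToRemove` members (older releases used `UpdateRoles(UpdateRolesContext)` with the same role lists); the claim type `role`, the scheme name `OpenIdConnect` and the mapping table are constructed values; and Orchard Core skips removal of roles the user does not already hold.

```csharp
// Added example, not Orchard Core's own code. Maps roles asserted by an external
// IdP (e.g. IdentityServer4) onto Orchard Core roles at every external login.
// Assumed interface shape: GenerateUserName + UpdateUserAsync(UpdateUserContext).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using OrchardCore.Users.Events;
using OrchardCore.Users.Models;

public class IdpRoleMappingHandler : IExternalLoginEventHandler
{
    // Explicit allow-list (constructed values). Only IdP roles listed here are
    // ever translated into OC roles, so a misconfigured or compromised IdP claim
    // cannot mint an arbitrary local role such as "Administrator" by name.
    private static readonly IReadOnlyDictionary<string, string> RoleMap =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["cms-admin"]  = "Administrator",
            ["cms-editor"] = "Editor",
            ["cms-author"] = "Author",
        };

    // The set of OC roles this handler owns. Roles an admin assigned locally
    // and that are outside this set are never touched.
    private static readonly HashSet<string> ManagedRoles =
        new HashSet<string>(RoleMap.Values, StringComparer.OrdinalIgnoreCase);

    // Authentication scheme name of the trusted IdP (assumed value).
    private const string TrustedProvider = "OpenIdConnect";

    // Derive the local username from the IdP's stable subject identifier rather
    // than a mutable display name or e-mail, so a renamed account at the IdP can
    // never collide with or take over another local user.
    public Task<string> GenerateUserName(string provider, IEnumerable<SerializableClaim> claims)
    {
        var sub = claims.FirstOrDefault(c => c.Type == "sub")?.Value;
        // Returning null is assumed to let Orchard Core fall back to its default naming.
        return Task.FromResult<string>(sub is null ? null : $"{provider}:{sub}");
    }

    public Task UpdateUserAsync(UpdateUserContext context)
    {
        // Only act on claims from the provider we trust; other schemes are ignored.
        if (!string.Equals(context.LoginProvider, TrustedProvider, StringComparison.Ordinal))
        {
            return Task.CompletedTask;
        }

        // Roles the IdP asserts in this token, filtered through the allow-list.
        var desired = context.ExternalClaims
            .Where(c => c.Type == "role" && RoleMap.ContainsKey(c.Value))
            .Select(c => RoleMap[c.Value])
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .ToList();

        foreach (var role in desired)
        {
            if (!context.RolesToAdd.Contains(role))
            {
                context.RolesToAdd.Add(role);
            }
        }

        // Revoke managed roles the IdP no longer asserts, so removing a user from a
        // group at the IdP takes effect on the next login instead of lingering.
        // Assumes OC ignores removals for roles the user does not currently hold.
        foreach (var role in ManagedRoles.Except(desired, StringComparer.OrdinalIgnoreCase))
        {
            context.RolesToRemove.Add(role);
        }

        return Task.CompletedTask;
    }
}

// Registration in the module's Startup (assumed):
// services.AddScoped<IExternalLoginEventHandler, IdpRoleMappingHandler>();
```

The design choice worth noting is the allow-list plus the "managed roles" set: it keeps the IdP authoritative for exactly the roles you intend to delegate, while leaving any locally assigned roles alone and never granting a role merely because a claim value happens to match a local role name.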
@agono I did not solve this, no - the project went in a different direction (static site generation) so I haven't looked at it again
> @agono OC needs local users and roles. In order not to have local users/roles you must implement all the user/role/permission related services. What you can do is set up the OpenID client, configure the external registration settings (https://docs.orchardcore.net/en/dev/docs/guides/azuread-integration/#configure-registration-settings) and configure how to map users/roles through a script (check the how-to) or by registering an IExternalLoginEventHandler implementation. Also enable the option to auto challenge the external provider instead of waiting for a username/password. The local users will be created and assigned the username/roles that you define in the script/IExternalLoginEventHandler. There is no need to sync users/roles between IS4 and OC: as users log in they will be created/updated and get the OC roles that you define based on the claims/roles they have in IS4.

@MichaelPetrinolis, question:
If I run Orchard on localhost with no internet access (after the first sync with IS4 is done), will the user be able to log in?
Also, I am not sure I get it: when is the user mapped to OC, when trying to log in?